nix-files/hosts/by-name/servo/services/matrix/signal.nix

# config options:
# - <https://github.com/mautrix/signal/blob/master/mautrix_signal/example-config.yaml>
{ config, pkgs, ... }:
{
  sane.persist.sys.plaintext = [
    { user = "mautrix-signal"; group = "mautrix-signal"; path = "/var/lib/mautrix-signal"; }
    { user = "signald"; group = "signald"; path = "/var/lib/signald"; }
  ];

  # allow synapse to read the registration file
  users.users.matrix-synapse.extraGroups = [ "mautrix-signal" ];

  services.signald.enable = true;
  services.mautrix-signal.enable = true;
  services.mautrix-signal.environmentFile =
    config.sops.secrets.mautrix_signal_env.path;

  services.mautrix-signal.settings.signal.socket_path = "/run/signald/signald.sock";
  services.mautrix-signal.settings.homeserver.domain = "uninsane.org";
  services.mautrix-signal.settings.bridge.permissions."@colin:uninsane.org" = "admin";
  services.matrix-synapse.settings.app_service_config_files = [
    # auto-created by mautrix-signal service
    "/var/lib/mautrix-signal/signal-registration.yaml"
  ];

  systemd.services.mautrix-signal.serviceConfig = {
    # allow communication to signald
    SupplementaryGroups = [ "signald" ];
    ReadWritePaths = [ "/run/signald" ];
  };

  sops.secrets."mautrix_signal_env" = {
    mode = "0440";
    owner = config.users.users.mautrix-signal.name;
    group = config.users.users.matrix-synapse.name;
  };
}
mautrix-signal: configure correct permissions so that i can use the bridge 2023-01-17 07:57:24 +00:00			`# config options:`
			`# - <https://github.com/mautrix/signal/blob/master/mautrix_signal/example-config.yaml>`
mautrix-signal: define the shared secrets statically 2023-01-16 11:43:17 +00:00			`{ config, pkgs, ... }:`
add mautrix-signal (experimental) 2023-01-16 09:03:56 +00:00			`{`
signald: update, and persist the /var/lib/signald accounts directory 2023-01-25 05:57:46 +00:00			`sane.persist.sys.plaintext = [`
persist: allow persisting of individual files, not just directories i actually do already, with ~/.ssh/id_ed25519 -- it works only as a fluke 2023-07-08 00:56:20 +00:00			`{ user = "mautrix-signal"; group = "mautrix-signal"; path = "/var/lib/mautrix-signal"; }`
			`{ user = "signald"; group = "signald"; path = "/var/lib/signald"; }`
signald: update, and persist the /var/lib/signald accounts directory 2023-01-25 05:57:46 +00:00			`];`

matrix: disable mautrix-signal (temporarily) 2023-03-11 00:02:30 +00:00			`# allow synapse to read the registration file`
			`users.users.matrix-synapse.extraGroups = [ "mautrix-signal" ];`

add mautrix-signal (experimental) 2023-01-16 09:03:56 +00:00			`services.signald.enable = true;`
			`services.mautrix-signal.enable = true;`
mautrix-signal: define the shared secrets statically 2023-01-16 11:43:17 +00:00			`services.mautrix-signal.environmentFile =`
			`config.sops.secrets.mautrix_signal_env.path;`
add mautrix-signal (experimental) 2023-01-16 09:03:56 +00:00
matrix: allow mautrix-signal to communicate with signald 2023-01-16 11:54:32 +00:00			`services.mautrix-signal.settings.signal.socket_path = "/run/signald/signald.sock";`
mautrix-signal: get a little closer to working it looks like mautrix-signal reads the appserver token (AS_TOKEN) from its config file -- which we place in the nix store. as such, we have no easy way of getting the token from registration.yaml over to mautrix-signal. this is presumably what the environmentFile stuff is meant for, but it doesn't really help much. i think it makes sense to pursue coffeetables' nix-matrix-appservices module, which has good-looking AS_TOKEN support: <https://gitlab.com/coffeetables/nix-matrix-appservices> 2023-01-16 10:22:41 +00:00			`services.mautrix-signal.settings.homeserver.domain = "uninsane.org";`
mautrix-signal: configure correct permissions so that i can use the bridge 2023-01-17 07:57:24 +00:00			`services.mautrix-signal.settings.bridge.permissions."@colin:uninsane.org" = "admin";`
add mautrix-signal (experimental) 2023-01-16 09:03:56 +00:00			`services.matrix-synapse.settings.app_service_config_files = [`
			`# auto-created by mautrix-signal service`
			`"/var/lib/mautrix-signal/signal-registration.yaml"`
			`];`
mautrix-signal: define the shared secrets statically 2023-01-16 11:43:17 +00:00
matrix: allow mautrix-signal to communicate with signald 2023-01-16 11:54:32 +00:00			`systemd.services.mautrix-signal.serviceConfig = {`
			`# allow communication to signald`
			`SupplementaryGroups = [ "signald" ];`
			`ReadWritePaths = [ "/run/signald" ];`
			`};`

refactor hosts directory, and move ssh keys out of modules/data longer-term, i want hosts/by-name to define host-specific data that's accessible via the other hosts (things like pubkeys). also the secrets management needs some rethinking. there's really not much point in me specifiying where exactly a secret comes from at its use site. i should really be specifying secret store manifests; i.e. "servo.yaml contains secrets X Y and Z", and leaving the rest up to auto-computing. 2023-01-19 23:23:41 +00:00			`sops.secrets."mautrix_signal_env" = {`
mautrix-signal: define the shared secrets statically 2023-01-16 11:43:17 +00:00			`mode = "0440";`
			`owner = config.users.users.mautrix-signal.name;`
			`group = config.users.users.matrix-synapse.name;`
			`};`
add mautrix-signal (experimental) 2023-01-16 09:03:56 +00:00			`}`